May 27, 2025
9 min read
The future of software development is being shaped by agentic AI, systems that can make decisions, act, and learn on the fly. Developers are now building intelligent collaborations that handle complex tasks, adapt in real time, and unlock new possibilities for automation and co-creation. At PayPal, we’re embracing this shift with the Agent Toolkit, a growing set of tools to help developers build secure, scalable agentic applications.
In this blog, we take a deep dive into how agentic tools are built and how they function, explore the core design principles behind them, examine how security is addressed, and share our perspective on the future of agentic AI toolkits.
In a pre-agentic world, if a merchant wanted to generate an invoice with specific discounts, they had to log in, fill out forms, and share links manually, often repeating steps. Now, with agentic AI, the same task happens instantly through a simple conversation.
At the core of this transformation is the Model Context Protocol (MCP), an open standard we built to connect AI agents with data and services. Think of it like USB-C, but for AI. PayPal has built an MCP server that helps AI agents connect with PayPal data and services using the MCP open standard.
MCP enables:
PayPal has remotely hosted its MCP server, enabling merchants to use it as an enterprise extension with any AI assistant that supports MCP client connections. Now, it’s plug-and-play. Just connect your agent to the PayPal MCP server, and it’s instantly equipped with PayPal’s full suite of services, with no manual API wiring needed.
In the sections ahead, we’ll show how these tools can help in building AI agents in real-world scenarios, walk through how we built them, and share the key design and security decisions that made them possible. Agentic AI is here and it's changing how we build.
Let’s say a merchant wants a developer to create an AI agent to help sell cookies online. The merchant can now interact with the agent directly, enquiring about the cookie menu and purchasing cookies.
If the agent is equipped with PayPal MCP tools, it can use PayPal's payment capabilities to help the merchant complete the purchase. If the merchant wants to proceed with the purchase, the agent invokes the MCP toolkit, and the toolkit takes care of invoking the create_invoice and send_invoice APIs.
From there, the agent toolkit can automatically call the APIs, returning a secure invoice link back to the customer. The customer clicks the link, completes the payment, and the transaction is done seamlessly.
The PayPal MCP server acts as the bridge, giving your agent everything it needs to handle payments without custom integrations.
Building reliable, scalable, and trustworthy agentic tools requires a solid foundation of design and governance principles, and that’s exactly what the Agent Toolkit delivers.
Tools are stored in a central registry, a consistent, discoverable location making them easily accessible to agents. Strict access control ensures only authorized agents can invoke specific tools, enforced through allowed_agents lists and environment restrictions.
Each tool carries a unique, structured identity encompassing domain, version, and ID, supporting smooth versioning and upgrades. Inputs and outputs adhere to clear schema contracts, explicitly typed and documented for dependable behavior both at build time and runtime.
Tools are grouped logically by domain, such as payments.*, enabling easy discovery and orchestration by function. Policy guardrails are in place, with declarative configurations managing retries, rate limits, and timeouts, protecting against misuse and maintaining system integrity.
Every tool call is logged comprehensively with timestamps, inputs, and outputs, ensuring full auditability and compliance via platforms like ELK or Datadog. Finally, tools undergo lifecycle reviews, tagged with metadata like last_reviewed and deprecated, with defined review cycles tracked in MCP dashboards, keeping the toolkit fresh and well-governed.
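The registry checks described above can be sketched as a deny-by-default authorization step. This is an added example, not PayPal's code: the `ToolSpec` and `ToolRegistry` names, the `domain.id@version` key format, the agent id and the schemas are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolSpec:
    domain: str                # e.g. "payments"
    tool_id: str               # e.g. "create_invoice"
    version: str
    allowed_agents: frozenset  # agent ids permitted to invoke the tool
    environments: frozenset    # environments the tool may run in
    input_schema: dict         # field name -> (python type, required?)


class ToolRegistry:
    def __init__(self, specs):
        self._tools = {f"{s.domain}.{s.tool_id}@{s.version}": s for s in specs}

    def discover(self, domain):
        """List tools in one domain, e.g. everything under payments.*"""
        return sorted(n for n, s in self._tools.items() if s.domain == domain)

    def authorize(self, agent_id, env, name, args):
        """Deny by default; return (allowed, reason) for the audit log."""
        spec = self._tools.get(name)
        if spec is None:
            return False, "unknown_tool"
        if agent_id not in spec.allowed_agents:
            return False, "agent_not_allowed"
        if env not in spec.environments:
            return False, "environment_not_allowed"
        extra = sorted(set(args) - set(spec.input_schema))
        if extra:  # oversharing: fields the tool never asked for
            return False, "unexpected_fields:" + ",".join(extra)
        for field, (ftype, required) in spec.input_schema.items():
            if field not in args and required:
                return False, "missing_field:" + field
            if field in args and not isinstance(args[field], ftype):
                return False, "bad_type:" + field
        return True, "ok"


# Constructed sample registry; agent ids and schemas are illustrative.
REGISTRY = ToolRegistry([
    ToolSpec("payments", "create_invoice", "1", frozenset({"cookie-shop-agent"}),
             frozenset({"sandbox", "production"}),
             {"amount": (str, True), "currency": (str, True)}),
    ToolSpec("payments", "send_invoice", "1", frozenset({"cookie-shop-agent"}),
             frozenset({"sandbox"}), {"invoice_id": (str, True)}),
])
```

Returning a reason string with every denial gives the audit log something specific to record for each rejected call.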
These principles ensure that every tool in the PayPal Agent Toolkit is secure, maintainable, and ready to support production-grade agentic applications.
Understanding what a tool does and how it behaves is essential to building effective agentic AI systems. Our tools are designed to be modular and single-purpose, each focused on one clear function and crafted around action-oriented verbs. They feature concise, unambiguous input and output schemas that require only essential data, promoting clarity and efficiency.
To support safe development, tools enable testing flows without side effects, while explicitly signaling the necessary upstream context for proper execution. Structured error handling provides error codes and retriable flags to guide agent responses and recovery.
Being latency-aware, tools consider cumulative delays when calling multiple APIs to maintain smooth performance. Their runtime behavior contracts guarantee predictability and reliability. Additionally, they are built for composable planning, allowing easy chaining in multi-step workflows with structured, deterministic, and referential outputs.
By adhering to these principles, our tools are not only powerful but predictable and easy to integrate, enabling developers to build sophisticated agentic workflows with confidence.
Building great agentic tools means managing their entire lifecycle with care and precision. We start by monitoring usage patterns, tracking total calls, agent-specific activity, current trends, and failure rates to understand how tools perform in real-world scenarios. Continuous integration checks ensure that new tool versions meet strict schema, testing, and latency standards before they’re promoted.
Tools are tagged by maturity, distinguishing experimental features from production-ready solutions. When usage declines or maturity wanes, automated deprecation workflows smoothly sunset outdated tools, while stale tools with little or no recent activity are flagged for review. Detailed change histories and metadata support rollback and reproducibility, and lifecycle dates enable time-based governance for audits and reviews.
Crucially, backward compatibility management ensures agents can migrate seamlessly to new tools without disrupting existing workflows, maintaining reliability throughout the evolution of the toolkit.
This lifecycle approach helps keep the PayPal Agent Toolkit robust, secure, and aligned with evolving business needs.
Security is paramount when connecting AI agents with powerful tools. The PayPal MCP toolkit addresses several key risks and enforces controls to protect data and operations:
Common security risks in agentic AI systems often start with oversharing data: sending fields that aren’t relevant to the tool, which unnecessarily increases exposure. Sensitive information can also slip through as PII leakage in logs, while unencrypted credentials sent in plaintext pose serious threats.
Replay attacks exploit the malicious reuse of communication envelopes to repeat actions, especially when tools lack proper signatures like HMAC or JWT to verify payload integrity. Insufficient context scoping may expose more information than necessary, creating vulnerabilities, and ambiguous or unverified agent identities open doors to spoofing.
Without strict output controls, sensitive data can be leaked to downstream agents, and missing input validation allows schema violations to go unchecked. Finally, the absence of policy enforcement risks agents accessing tools beyond their authorized permissions, highlighting the need for robust security measures at every step.
Security is at the core of PayPal’s Agent Toolkit, with multiple layers of controls designed to protect data and maintain integrity. TLS and mTLS secure data in transit, ensuring both privacy and authenticity, while HMAC and JWT signatures verify payload integrity to prevent tampering. Nonce values and issued-at timestamps guard against replay attacks by confirming the freshness of requests.
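The following added example (not PayPal's implementation) shows how an HMAC signature, a nonce and an issued-at timestamp combine to reject tampered, stale and replayed tool-call envelopes. The envelope layout, the function and class names, and the 300-second freshness window are assumptions.

```python
import hashlib
import hmac
import json
import time

MAX_AGE_SECONDS = 300  # assumed freshness window, not a value from the post


def _mac(key, body):
    # Canonical JSON so signer and verifier hash identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_envelope(key, payload, nonce, iat):
    """The MAC covers payload, nonce and issued-at, so none can be swapped."""
    body = {"payload": payload, "nonce": nonce, "iat": iat}
    return {**body, "mac": _mac(key, body)}


class EnvelopeVerifier:
    def __init__(self, key):
        self._key = key
        self._seen = {}  # nonce -> iat, for envelopes still inside the window

    def verify(self, env, now=None):
        now = int(time.time()) if now is None else now
        try:
            body = {k: env[k] for k in ("payload", "nonce", "iat")}
            mac = str(env["mac"]).encode()
        except (KeyError, TypeError):
            return "malformed"
        # 1. Integrity first: unauthenticated input never touches the cache.
        if not hmac.compare_digest(_mac(self._key, body).encode(), mac):
            return "bad_mac"
        # 2. Freshness: reject envelopes outside the window, past or future.
        iat = body["iat"]
        if not isinstance(iat, int) or abs(now - iat) > MAX_AGE_SECONDS:
            return "stale"
        # 3. Replay: a nonce is accepted only once while it is still fresh.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= MAX_AGE_SECONDS}
        if body["nonce"] in self._seen:
            return "replay"
        self._seen[body["nonce"]] = iat
        return "ok"
```

Because a nonce is dropped from the cache only once its envelope would already fail the freshness check, the cache stays bounded without reopening a replay window.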
Schema validation filters out malformed or oversized inputs to prevent abuse, and field-level encryption safeguards raw credentials and personally identifiable information (PII) from exposure. PII tagging further enhances privacy by masking or suppressing sensitive data in logs and analytics.
Context scoping restricts data to only whitelisted fields, minimizing the attack surface, while responses are carefully designed to exclude PII, reducing outbound exposure. Finally, strict tool-policy enforcement ensures that only authorized agents can access restricted tools, supporting robust control throughout the system.
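Context scoping and PII-aware logging, as described above and in the earlier note that every tool call is logged with timestamps, inputs, and outputs, can be sketched as follows. This is an added example, not PayPal's code: the PII tag set, the field allowlist, the record layout and the sample values are assumptions.

```python
import json

# Assumed PII tags; a real deployment would take these from the tool schema.
PII_FIELDS = frozenset({"email", "phone", "billing_address", "card_number"})


def scope_context(context, allowed_fields):
    """Context scoping: forward only allowlisted fields to the tool."""
    return {k: v for k, v in context.items() if k in allowed_fields}


def redact(value, pii_fields=PII_FIELDS):
    """Recursively replace PII-tagged fields, at any nesting depth."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in pii_fields else redact(v, pii_fields)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, pii_fields) for v in value]
    return value


def audit_record(ts, agent_id, tool, inputs, outputs):
    """One log line per tool call: timestamp, inputs and outputs, PII masked."""
    record = {"ts": ts, "agent": agent_id, "tool": tool,
              "inputs": redact(inputs), "outputs": redact(outputs)}
    return json.dumps(record, sort_keys=True)


# Constructed sample: agent-side context and the allowlist for one tool.
SAMPLE_CONTEXT = {
    "amount": "12.00", "currency": "USD",
    "email": "buyer@example.com",          # PII, needed to address the invoice
    "chat_history": ["hi", "2 cookies"],   # irrelevant to the tool
    "session_token": "constructed-token",  # must never leave the agent
}
CREATE_INVOICE_FIELDS = {"amount", "currency", "email"}  # assumed allowlist
```

Scoping happens before the call and redaction happens at log time, so the tool still receives the e-mail address it needs while the log line never contains it.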
Together, these security measures ensure that PayPal’s MCP tools maintain trustworthiness and safety, allowing developers to build powerful agentic applications without compromising on privacy or control.
Building on MCP’s secure, typed tool and memory access inside agents, PayPal is exploring Agent-to-Agent (A2A) communication: Google’s recently released protocol for dynamic cross-agent discovery and task delegation.
In a typical scenario, a user calls a merchant’s agent to buy an item. The merchant’s agent queries an A2A broker, which finds the PayPal agent. The A2A agent returns an agent card containing endpoints, capabilities, and trust levels.
Once the merchant agent verifies trustworthiness, an authentication process with the PayPal A2A agent issues an auth token. This token authenticates the required service, after which the agent hands control over to the MCP client for further processing.
This combination of MCP and A2A protocols enables seamless, secure, and dynamic collaboration between multiple agents, expanding the horizons of what agentic AI can achieve.
Today’s agentic AI ecosystem relies on complementary protocols like MCP, A2A, and OpenAI innovations, each enabling secure, coordinated agent workflows. Looking forward, current trends like universal tool registries, event-driven models, and privacy-focused designs will shape innovation. With a focus on interoperability, security, governance, and developer experience, the PayPal Agent Toolkit accelerates AI app development through standardized orchestration and modular, observable components, paving the way for seamless cross-agent collaboration and decentralized networks.
This is just the beginning of a new era where intelligent agents work together effortlessly, securely, and at scale.
Ready to build the next generation of intelligent agents? Explore PayPal’s Agent Toolkit today and start creating secure, scalable agentic AI applications that transform how businesses and customers interact.
*Disclaimer: PayPal Agent Toolkit provides access to AI-generated content that may be inaccurate or incomplete. Users are responsible for independently verifying any information before relying on it. PayPal makes no guarantees regarding output accuracy and is not liable for any decisions, actions, or consequences resulting from its use.